Over half of US brokerage and investment firms have been targeted by scams designed to trick them into releasing client funds, regulators say.
Research released by the US Securities and Exchange Commission (SEC) suggests that over half of brokerage companies in the United States have received phishing emails and fraudulent messages aimed at tricking them into wiring away client money. As reported by the Wall Street Journal, the SEC's survey -- which includes responses from 106 broker-dealers and investment advisers -- found that in many cases, companies fell for scams and had to reimburse their clients. In total, 26 percent reported losses of over $5,000, and the highest loss reported by one advisor reached over $75,000.
The report states that 54 percent of brokers and 43 percent of financial advisors have received fraudulent emails seeking a wire transfer of client funds.
The US regulator also said 88 percent of brokers and investment advisors have experienced some form of cyberattack. While specific timing and types were not disclosed, the SEC did say most related to malware and fraudulent emails.
While investors and brokers in the US do have identity validation and authentication procedures, the commission said roughly a quarter of cases where money was released based on fraudulent emails occurred because employees ignored procedure.
In a statement, SEC Chair Mary Jo White commented:
"Cybersecurity threats know no boundaries. That's why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC.
Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks."
Almost two-thirds of broker-dealers -- 65 percent -- reported suspicious emails to the Financial Crimes Enforcement Network (FinCEN) by filing a Suspicious Activity Report (SAR), but only 7 percent reported the fraudulent emails to law enforcement. With the exception of the one $75,000 case, advisors generally did not report incidents to a regulator or law enforcement.
The SEC also examined the role of cybersecurity insurance in the field. While over half -- 58 percent -- of broker-dealers have taken out insurance for cyberattacks, only 21 percent of advisors maintain insurance which covers any loss caused by such incidents. The SEC said that only one broker-dealer and one advisor have filed claims related to cybersecurity in the past.
In related news, insurance provider Marsh & McLennan (MMC) testified to a US Senate committee in order to plead the case of cyber insurance. While ironic, the firm's testimony -- provided by general counsel and executive vice president Peter Beshar last week -- highlighted the need for the insurance market to provide corporations with a way to counter the risk of cyberattack.
Beshar told the committee:
"Cyber insurance matters because it creates incentives that drive behavioral change in the market place. That is what the Congress, and indeed all of us, are attempting to accomplish."
The executive suggested that applying for cyber insurance would force firms to assess their own strengths, weaknesses and investments, as well as refine and structure the network protection process, because disciplined procedures for patching software and monitoring, along with incident response plans, would become necessary.
"This process, in and of itself, is an important risk management tool," Beshar noted.